Questions & Answers

Question #1: Okay. One of our viewers was curious to know what's your browser of choice?

Answer: Firefox. I am a huge, huge, huge supporter of open-source. Open-source is best source. I encourage everyone to support open-source software whenever they possibly can. I love Firefox because it's so modular. There's so many different add-ons available, tons of different security plugins and add-ons and that stuff. It's all open-source, all free, so yeah. Mozilla's awesome. Firefox for the win.

Question #2: If your database gets compromised, can they be code or password?

Answer: Can they what? Sorry.

Question #3: If your database got compromised, can they be code or password?

Answer: Well, the passwords are usually hashed and salted, so it can be done, yeah. If you do suspect that your database was ever compromised, it's best to just assume that they were compromised, that all the passwords were hacked, right? It's better to be paranoid. Being actually paranoid is a really big asset when you're working with security.

If there's any modifications done to your database that you didn't authorize, any spam links, whatever, change your database passwords, change all of your wp-admin administrator passwords. It's better just to assume. The passwords can be compromised, yes. It does take a little bit of coaxing and trickery, and it can be done. Just assume that they were hacked, yes.

Transcript

Ben Martin

Hello, everyone. Thank you very much for attending our Webinar on how to fix your hacked WordPress websites. I work at Sucuri. I've worked at Sucuri for three years, and I work on the remediation team. I'm part of the team that goes in and identifies where the malware is, removes the infection, and tries to identify new kinds of malware, new kinds of hacks that are going on and occurring.

Just a little bit about me before we begin. I'm from beautiful Victoria, BC, Canada. There's a couple other Sucuri employees that live and work here, as well, so if you're ever in the area, come say hi. I've worked in software and security for a total of six years, and I've cleaned a lot of WordPress websites.

We're not leaning in just to WordPress. We do a lot of ... Clean a lot of Magento eCommerce websites, Joomla, like Drupal, MODX, whatever. We'll clean whatever you can throw at us. But for the purposes of this webinar, we're just going to be focusing on WordPress. WordPress, of course, is the most common CMS, and it's very frequently ... It's the platform that we deal the most often with.

Part of my job is to identify new strings of malware, sending samples to our research team, identifying trends and what's going on in the website security world. I also last year spoke at WordCamp in Vancouver, and Toronto and Portland. I've broken down this presentation into three different sections, so the first one's going to be just signs that your website was compromised. I've actually worked with clients that their website was hacked years ago and they had no idea.

Without proper monitoring in place and logging things, modifications to files, you can ... Your site can be hacked and you had no idea, so it's really important to take that into account. Also, the next section is how to actually find the malware and remove it, how to identify where it's coming from, what the culprits are.

The third section is what to do after a hack, and this is arguably the most important part of ... A lot of people forget, so we need to take some proactive measures to make sure that the bad guys aren't going to come back the next day, because you don't want to be back at square one, right? Without further ado, how to tell if your website was compromised.

There's a number of different symptoms that you want to look out for, and I'll just briefly go over each one of those here. Of course, the most obvious one is that your website has been blacklisted. Google, of course, is the most common one, but other search engines, like Bing and Yandex and what not, also maintain their own blacklists. Anti-virus vendors, such as Norton, McAfee, MalwareBytes, maintain their own blacklists, as well, and we maintain a blacklist, also.

If you want to check to see if your website is blacklisted, mosey on down to virustotal.com. Type in your website domain name and it will check your website against a whole bunch of different blacklists to see if it's getting flagged anywhere. There's an example on the right of a website that's getting flagged by five different vendors.

In this presentation, I've included as many practical examples as I can because it's one thing to talk about website security, but it's another thing to actually understand what you're looking at and be able to understand what you're seeing, right? I've included as many practical screenshots and examples as I can. Also, one thing that's really important is to listen to your website visitors, and what they're reporting on your site.

You might not be getting any warnings on your end, but they might be using a different anti-virus program, for example. They might be getting warnings, and you're not. Pay careful attention to what your website visitors are saying. If you try to access a website that is blacklisted by Google, you're going to see something like this. Pretty strong indicator that something's gone wrong, right?

This is the most common way that people realize that their website has been compromised. The second thing that you want to look out for is if you see any spam in Google search results. Spam infections are actually really, really common on websites. If you notice some sort of weird content showing up in Google related to your website, for example, pharmaceuticals, adult content, or I've even seen cat food spam.

There's all sorts of strange stuff, and so what you can do is go to Google and type in site, colon, and then your domain name. Google will give you a result of all the links that have been crawled there. If you see stuff like in the example screenshot there, then there's a strong likelihood that your website has been hacked. Especially if it's a website that doesn't sell pharmaceuticals, right?

If Google does suspect that there is spam on your website, they're going to label it with, "This site might be hacked," right? It's important to recognize the different warnings that Google will show.

If your website is throwing malware or redirecting visitors to exploit kit landing pages, they're going to issue a different warning that says, "This site might harm your computer," right? If you find that your website traffic is getting redirected elsewhere, so for instance, if you try to access your website, and all of a sudden you end up at an adult dating website, then that could be attackers that are redirecting your traffic to a location of their choice.

Sometimes, it's just, sort of, innocuous spam, but other times it could be something way more serious. Like phishing pages or ransomware, exploit kits, that kind of stuff. The image on the right is a hacked .htaccess file, which I'm going to go into a little bit more detail later.

But suffice it to say any visitor to your site that matches one of the listed user agents is going to get redirected to the Russian bogus domain at the bottom. Again, make sure that you listen to what your visitors are reporting.

It was a really common infection that we saw last year where only traffic from mobile devices was getting redirected to adult dating websites. Sometimes, it can only affect certain user agents, certain computers, and for other ones, the website functions normally. If you notice any weird popups, new tabs opening up, popups, pop-unders, this is a strong sign that there's been some malicious or spammy modifications made to your website.

If you've noticed that every time you go to your site, all of a sudden you get some weird pages like the one displayed here. That's a big red flag, for sure. You can also use our very handy site check tool which is free. You can go to www.sitecheck.sucuri.net, and scan your website for malware and spam. It will also check your website against a number of different blacklists, so it's a very useful tool to see if there's any malicious stuff loading.

We update sitecheck very frequently. Malware's changing all the time, right? There's always new variants of code, new infections going around. We update sitecheck frequently to make sure that it's catching the most ... Especially the most common malware that we see. Of course, if you go to your website and it looks something like this, that's a pretty strong indicator that you've been hacked.

Defacement attacks like this are very unsophisticated, very basic, but they do happen. It's kind of scary to go to your site and see something like this, right? All right, cool. We've decided ... We've determined that your website is compromised. What do we do now? Well, WordPress is a really powerful platform, particularly because it's so straightforward and so easy to use.

But for that same reason, it's actually fairly easy to determine the source of a hacked WordPress website because the platform is so straightforward, and you can actually ... Even if you're not super sophisticated with the backend of websites or malware or whatever, you can go through the process of elimination using some tools to basically find the source of the problem that way.

Well, what I'm going to do is I'm going to go through this whole list here of core files, plugins, etc, and elaborate a little bit on each section. We can just go through them one by one by one, and eventually we'll find the source of the hack, right?

If you're wondering what this weird thing on the right is, that's a nice juicy piece of malware, heavily obfuscated code. I want to go through a couple of tools that you're going to want to be familiar with before we begin.

All these tools are free, not going to cost you any money. Unfortunately, I can't go into super, huge detail about all of them because I can do a whole ... A webinar just on this slide. But I do want to mention them before we get started. This Sucuri scanner WordPress plugin is a really good tool to have. You can download it for free from WordPress.org, and it's a really good diagnostics, sort of, monitoring tool.

It'll check your core files, the core integrity of your files. It'll log who's logging in to your WP admin page, and from which IP and when. It's a very useful thing to have. You're also going to want to have an FTP client, so like FileZilla, so you can actually check the files on your server.

Also, please be sure to install a script blocker, such as NoScript for Firefox, which is a browser add-on. Google Chrome has a very similar one, several to choose from. But basically, the script blocker is the most important tool that someone could have in their arsenal when they're working with hacked WordPress websites, because you don't want your computer to get infected when you're trying to fix the hack, right?

Make sure you're not allowing scripts to execute, and that way you can protect your browser from getting infected, too, right? VirtualBox, or VMware. Some sort of virtualization tool is a very useful thing to have. That way, you can work in a, sort of, sandbox environment, where you don't have to put your main computer at risk. An ad blocker is also very useful. There's been quite an increase in malvertising lately.

Rogue ad networks, bogus ad networks riding trojans and bad stuff. Actually, uBlock Origin's my favorite, and it's actually quite a good diagnostic tool and it can help check all sorts of different third party content that's loading on your website. If you need to check your database, you can use phpMyAdmin or Adminer. phpMyAdmin is available for your cPanel. If you don't have cPanel, you can head on down to Adminer.org.

That will allow you to connect to your database and check for spam and iframes and that kind of stuff, anything weird that's loading. Honorable mention goes to a user agent switcher. Some malware or spam will only deploy if it's a certain user agent that's triggered. It's really common, for example, for spam only to show to the search engines, but it won't show to regular website visitors, right?

Of course, the support forums at WordPress.org are a really important thing to use. There's a really great community in place that can help you troubleshoot, help guide you in the right direction if you're kind of lost and not really sure what to do or where to look. I do want to say that it's really important to back up your website first before you make any changes here, because removing malware can be tricky.

Especially if you're not entirely sure what you're doing, you can damage your website and leave yourself with a blank white screen of a website. Of course, a blank white screen is the cleanest website you can possibly have, but it's not particularly useful, right? Make sure you or your hosting provider has a full backup of your files, backup of your database, because you don't want to lose all your hard work, right?

If anything goes wrong, you want to be able to reset, and go back to square one and try again, right? That's particularly true if you've made any modifications to your theme files, any customizations to the code that you're using. You want to make sure that you backup everything before we begin, okay?

The first thing that we can go through here are the core files. For those of you who don't know, the core files are wp-includes, wp-admin, and the files in the root of your website. There's some files that tend to get infected more frequently than other ones. For example, the index.php file is very common. We can see on this screenshot here from our Sucuri scanner plugin that this person's index.php file has been modified and has had a whole bunch of code added to it.

I know from working with WordPress sites quite a bit that that's a really big index.php file. It's been modified, there has been some code added to it. That's a very big red flag, and in all likelihood, that file has had malware added to it.

Same with wp-cron, right? You want to make sure that you have some sort of monitoring in place to check to see when your core files were modified, if they were modified, because if something bad happens, you need to know about it, right? If you're really not sure, you can just download a fresh copy of WordPress from WordPress.org and just replace all your core files, and just overwrite them with known good copies, right?

This is an example of an infected wp-load.php core file. You can see all the code at the bottom is legitimate, but there's two big, ugly strings of encrypted code at the top, right? Labeled with, "Do not delete," of course. It's really common for malware to be encrypted like this, and WordPress does not allow encryption to be used in any files that are part of the ...

Any software part of the repository, so if you see something like this, it's a pretty big red flag, right? The next thing you want to check are your theme files. This is a really common place to hide malware, and the reason being is because no matter what page or post your visitors are on, these theme files are going to be in use.

They're going to be loaded, so it's a very effective way of deploying malware, and making sure ... Because the attackers want to infect as many visitors as they can, for the most part, right? In this example image, we can see that the header.php file was modified recently at a totally different date than all of the rest of the files that are within the theme, right?

This is a really common thing that I do if ... For example, if a client comes to us with an infected website and we scan it, and everything seems clean, I always check the theme files first, right? Because it's just ... It's one of the most common places to check. Common files: index.php, header.php, footer.php, functions.php, 404.php. These are all files that you're going to want to check.

Again, much like the core files, if you're just not sure at what you're looking at and you're kind of not comfortable with this, download a fresh copy of your theme, and upload it and reinstall it, and that will just fix any modifications that have been made.

Again, I want to remind you, if you've made any modifications to your theme files, any customizations, anything like that, make sure you have a backup. Another technique that we use is if we suspect perhaps it's the theme, but we're not sure. What you can do is download a copy of one of the default WordPress themes from WordPress.org. Something like Twenty Sixteen, Twenty Fifteen, whatever.

Switch your active theme with that, and if the problem still remains ... Or if the problem is fixed, then you know it's your theme, right? For instance, say sitecheck was flagging some spam or flagging some malware on your website. You switch to a new theme, and you re-scan and it's clean. You know it's the theme, right? Here's an example of an infected header.php file.

We see all the code here is legitimate except when we get to the bottom, where we see a weird, ugly, purple string of numbers. When decoded, all this script does is just redirect someone to a bogus pharmacy website. But the reason it's encoded like that is because if you noticed that your website traffic was redirecting to boguspharmacy.com, you could just search your website files for pharmacy, and you would find your culprit right away.

This is the motivation behind a lot of the encryption and obfuscation in use that we see, right? Plugins are the next thing that you're going to want to check. Plugins are very problematic, particularly old, out of date plugins. They pose a whole big set of problems. Out of date plugins are one of the most common reasons why websites get attacked due to vulnerable code in them.

You want to make sure your plugins are up to date all the time. Plugin files are also a pretty common place for attackers to place back doors. Also, malware can be hiding in plugins. Bad guys can add malicious code to plugins, and if the plugin is active, then the code will be present on your site, right? With both themes and plugins, please avoid using pirated software.

It's almost always infected, so you want to make sure you're using legitimate sources for the software that you're using. Much like the themes, if you are not sure what to do, just remove any plugins you're not using, download fresh copies of the ones that you are, replace the files with fresh copies. Here is an example of a page that we're all very familiar with, a wp-admin page full of a whole slew of out of date plugins.

This is something you want to avoid. Make sure you update, update, update. Security guys can't stop saying that enough. This is an interesting example. This is a bogus plugin, entirely bogus. But unlike a lot of the malware that we see, it's not encrypted, it's not obfuscated, it's properly formatted, indented. It looks normal at first glance.

But what this plugin code actually does is generate thousands of bogus torrent download links through your website. It doesn't have to be encrypted to be bad. The database is the next thing you want to check. This is a really common place for spam to hide, so if you see spam being flagged by sitecheck, or you see spam in Google search results, it's ... There's a very good chance that it's been lodged into your database somewhere.

But also, like the example in the image here shows, it's also somewhere where they can inject malicious code also. Just for those of you that don't know, the database is where all of your, sort of, content is stored. If you make a blog post that says, "Hello world," the text, "Hello world," is loaded into the database.

That's also where your settings are stored, theme settings, user settings, all that kind of stuff. For example, this is a really common kind of infection that we see here. If you look at the top, it says style display equals none. The code is there, but it's not displayed. You can look and just be browsing your website like normal, everything seems fine.

But when search engines browse the page, they see all these spam links. That can really hurt your website's SEO, actually, and that can take a while to repair. .htaccess, very interesting file. .htaccess files, sort of, instruct how certain links' behavior on your website is handled. On the right is what the default WordPress .htaccess file looks like.

Certain plugins will make legitimate changes to .htaccess, so for instance, caching plugins or some security plugins will modify it. But this is also a pretty common place for attackers to insert bad code, especially when it applies to redirects. If some of your traffic is being redirected to places it shouldn't, make sure to check your .htaccess file.

If you wanted to redirect a user somewhere else, that's usually where you'd do it. But it's also where you can, for example, redirect http traffic to https. There's legitimate uses for it, of course. But it's a pretty common place for attackers to modify. This is a really interesting example of a spammy .htaccess file. Very interesting to look at, but actually what it does is, you guessed it, spam links in Google. This allows for all sorts of spammy stuff to generate.

There's a lot of different variations of this kind of malware, and we can see from the top of the file there how it's referencing index.php. That's because the index.php file was modified, also. Advertising networks can be problematic. A lot of website owners choose to employ the use of advertising networks on their website, and that's fine.

But they can pose their own set of problems, especially less reputable, less well-known advertising networks can have problems of malvertising, rogue ads that deliver trojans to visitors. It can be quite difficult to troubleshoot this, particularly if you're using multiple advertising networks. It can be hard to, sort of, track down which one it's coming from. We see this problem on a lot of video streaming websites that employ three or four different ad networks.

I would recommend that everyone ... If you do choose to run ads on your site, use a well-known, reputable network, and none of the cheap ones. This is an example of some bogus ad networks that were injected into a client's database. There were thousands of these links, and what it did was any time anybody clicked on one of the links on the page, it would redirect them to spam sites, right?

Sometimes, it can actually be the server itself. This is not as common, but sometimes the server can itself be rooted, can be compromised. You notice this weird iframe that's generating on all the pages, but it's also happening to 150 other people that are all on the same server, right? These are really tricky to handle. It is possible to clean a rooted server, but really the ...

What we would recommend doing that's, sort of, safest option is to migrate your website to another server, change all of your passwords, and ideally the server should be wiped and reformatted because it's hard to know if it's fully fixed, right? On this topic, make sure your hosting provider considers security to be a priority, because when things go wrong and your website gets compromised, your hosting provider is ...

You're going to need to be in touch with them, and it's good that they have good support, and takes security seriously, right? The last thing I want to mention here is back doors. They're the trickiest part of all of this, right? Attackers will sometimes inject maybe one or two back doors onto the server. Sometimes they'll upload hundreds of them, or sometimes in every single php file that they can find.

For instance, your website traffic is getting redirected elsewhere. You found the infected file in the header of your theme. You remove the malware, and the redirect is gone. Awesome. Great. The job's done, but you'll have exactly the same problem tomorrow because attackers always make sure that they can maintain access, right? Actually, a pretty common thing for them to do is to place a back door on the server, and then wait for weeks or longer.

Then they'll deliver the payload, and the reason for that is because a very common thing for people to do when they realize they've been hacked is to restore a backup from a week or two ago. Well, the back door's still there, so they'll still have access. We find new kinds of back doors all the time.

There's new ones being written constantly, and it can be really tricky to track them all down. This is why it's important to make sure that you have some sort of logging of what files have been modified on your server. Also, a useful trick if you're not sure what you're looking for or where, you can check your server logs to see if there are any files that are being directly accessed from strange IP addresses, or whatever.

We've written a little bit about finding and removing back doors on our blog at Sucuri.net, and I'd suggest giving that a look and checking that out. Just so you know how to recognize a back door when you see one, there's one injected at the very top of this file. Now this was a client's footer.php from their theme, and at the top you can see the part ... The first opening and closing php tag, where it says, "Base64 decode post zed zero eval."

Basically, if that code exists, is present in one of your files, attackers can send a request to it, and the back door will do the attacker's bidding, essentially. You don't want to find yourself just back at square one after you worked so hard to get the infection removed, right? I wanted to mention just a couple other helpful resources that are useful when dealing with hacked sites.

Of course, sitecheck.sucuri.net, as I already mentioned, is very useful. Redleg's File Viewer at aw-snap.info is also super helpful for fighting spam, malvertising, redirects, that kind of stuff. Webpagetest.org is also quite helpful. What it will do is it'll load your website and just log every single thing that's loading.

All the third party content, all of the files. It just gives you a nice, long list that you can investigate. Portswigger is a very useful application testing tool. Very useful for determining malvertising, if any third party content on your site is causing issues. It's a little bit more advanced, so if you're not super tech-savvy, you might want to hold off on that one.

But very fun to mess around with, and if you find a nice encrypted chunk of php code, and you want to see what's inside, you can mosey on down to ddecode.com, or unphp.net, and it will attempt to decrypt it and deobfuscate it to let you know what's hiding inside. All right. We've found the infection, we've removed the malware.

What do we do now? This is the part that people very frequently overlook, and we have to remember that the attackers are going to be back, right? Once they determine that this is a vulnerable website, we can exploit that, they'll just do it again, and again, and again, and again, because they know that the root causes are rarely addressed. A lot of site owners don't update their plugins. They don't change their passwords.

They don't update WordPress, so we need to just leave no stone unturned. Make sure you update all your stuff here, and just acknowledge that the attackers are ... They will be back, and as much as working with a hacked website can be stressful, nobody really wants to do it. No one wants to get hacked, but this is just the reality, right? The most important thing is update, update, update, update.

I can't stop saying this enough. Out of date software is by far the leading cause of infection, and you want to make sure that your website is properly maintained, properly updated, all the time. This is a constant process. This is not something that you can just do once, and then forget about it.

There's new updates constantly, right? Please make sure that you're taking proactive steps to maintain your website properly, and this is really the best thing you can do to prevent attacks. Change all your passwords after a compromise, and just assume that all of your passwords were leaked, right? FTP, cPanel, wp-admin, everything.

Just change them all. You can't be too careful, right? I would recommend that you use a password manager like LastPass, and in my line of work, I've seen some atrociously bad passwords. Please make sure that your passwords are complex, so that they're difficult to brute force. Can't be too careful, right? Review who has access to your website, also. I've seen WordPress sites with 15 or 20 different admin users.

Only give administrative access to who absolutely needs it and for the amount of time that they need it for, at which point, revoke their access. I've seen cases where a client had hired a developer to work on their site a year ago, and they just left the admin account there. The password was weak, and it was brute forced, and their website was compromised because of it.

Have as few admin users as possible. It's also not a bad idea to have a separate account that you use for just basic stuff, like updating blog posts and uploading media files, that sort of thing. Then a separate admin account for doing admin stuff that you keep under lock and key. A nice term that we like to use in the security world is 'decreasing the attack surface.'

What that means in simple terms is just decrease the amount of things that could possibly go wrong. What that means is getting rid of plugins that you're not using, getting rid of old themes that you're not using anymore. If you have any old versions of your website, and backups and whatever, lying on your server, migrate them off. Just have as little on your server as necessary, and that'll really go a long way in preventing problems in the future.

You also want to make sure you scan your work station. This is really important because if your work station, your laptop, whatever website, or whatever computer you use to work on your websites, if it's infected, that can cause your website to get infected, too. I remember a client I worked with once, he followed our post-infection steps to a tee. He changed all of his passwords.

He updated all of his stuff, and he was hacked again two days later because his computer was infected. It had a trojan keylogger on it, and when he updated the password to the new one, they just stole it again. You want to make sure you're scanning your work station effectively and frequently, because that's another piece of the puzzle that we don't want to forget, right?

Make sure you have a backup schedule. Make sure that you're performing backups of your websites regularly, and that they're not stored on your production server. We do have a backup service for $5 per website per month. It's very easy to use. There's a ton of other backup services, too. Some hosting providers perform backups for you, but this is something you want to make sure you have a spare tire, as it were, if something was wrong.

This is a screenshot from our backup service, and it's very easy to use. Super nice, simple interface, and it'll just do a backup of your site every day. You can download them at your leisure, whenever you need a copy. You can also perform some hardening of your websites. This image here on the right is an .htaccess file, which you can place in wp-content/uploads or in image directories, places where php just doesn't need to execute from.

The WordPress security scanner plugin can help you with this. You can also add some additional security rules to your wp-config file such as disallowing file edit. In that sense, even if your wp-admin page is compromised, the files can't be actually modified.

Some developers really like file edit function. It's very convenient, but unfortunately, convenience and security don't always get along super well. Last but not least, use a web application firewall. We offer one called Cloud Proxy, which is part of our security services. It will proactively defend your website against attacks. In fact, the malicious requests won't even touch your server at all because we will filter it out through our servers, right?

We're constantly updating Cloud Proxy to make sure that it's catching the newest attacks, the newest attempts at compromise. It can help against brute force attacks, and attempts to access your wp-admin page.

It can do a whole lot, and it's really good for just peace of mind knowing that you have some layer of defense between you and your website, and the broader web, right? Yeah. That's pretty much it. I hope you all found that helpful and informative, and yeah. If any of you guys have any questions, then yeah. I would love to answer them.
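As an added example that is not part of the webinar or of Sucuri's tools, the following Python script turns several of the checks the talk walks through into code you can run over a backup copy of a site's files: the `eval(base64_decode($_POST[...]))` backdoor pattern from the footer.php screenshot, a user-agent-conditioned `.htaccess` redirect like the mobile-only one described, `display:none` spam links in post content, a theme file whose modification date is far from the rest, and the two hardening settings mentioned at the end (`DISALLOW_FILE_EDIT` and a `.htaccess` that stops PHP from executing under `wp-content/uploads`). All sample inputs are constructed for the example, the hostnames use the reserved `.invalid` TLD, and the function names are this example's own.

```python
"""Triage helpers for a hacked WordPress site (added example, not Sucuri code).
Run them over a backup copy of the site's files. All sample inputs below are
constructed to resemble the talk's screenshots; hostnames use the reserved
.invalid TLD and function names are this example's own."""
import re
import statistics

# Constructs legitimate WordPress code almost never uses but backdoors rely on:
# executing (decoded) request parameters. Every hit deserves a human look.
BACKDOOR_PATTERNS = {
    "eval_of_decoded_request": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
        r"\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "eval_of_request": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "assert_of_request": re.compile(r"assert\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
}

def find_backdoor_patterns(php_source: str) -> list[str]:
    """Names of the backdoor patterns present in one PHP file (empty list = none seen)."""
    return [name for name, rx in BACKDOOR_PATTERNS.items() if rx.search(php_source)]

def htaccess_ua_redirects(htaccess: str, site_host: str) -> list[str]:
    """External hosts that a RewriteRule sends visitors to when the rule is guarded
    by a RewriteCond on HTTP_USER_AGENT (the mobile-only redirect from the talk).
    In Apache, RewriteCond lines apply to the RewriteRule that follows them."""
    findings, ua_guarded = [], False
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lowered = line.lower()
        if lowered.startswith("rewritecond"):
            ua_guarded = ua_guarded or "http_user_agent" in lowered
        elif lowered.startswith("rewriterule"):
            target = re.search(r"https?://([^/\s]+)", line, re.I)
            if ua_guarded and target and target.group(1).lower() != site_host.lower():
                findings.append(target.group(1).lower())
            ua_guarded = False
    return findings

HIDDEN_BLOCK = re.compile(
    r"<(div|span|p)\b[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none[^\"']*[\"'][^>]*>"
    r"(.*?)</\1\s*>", re.I | re.S)
LINK_HOST = re.compile(r"<a\b[^>]*href\s*=\s*[\"']https?://([^/\"']+)", re.I)

def hidden_spam_links(post_html: str) -> list[str]:
    """Hosts linked from inside display:none containers: invisible to readers,
    visible to search engines, which is the SEO spam pattern the talk describes."""
    hosts = []
    for block in HIDDEN_BLOCK.finditer(post_html):
        hosts.extend(h.lower() for h in LINK_HOST.findall(block.group(2)))
    return hosts

def modification_outliers(mtimes: dict[str, float], tolerance_days: float = 7) -> list[str]:
    """Files whose modification time is far from the rest of a theme; a lone
    header.php touched months after every other file is the talk's red flag."""
    if len(mtimes) < 3:
        return []
    median = statistics.median(mtimes.values())
    return sorted(n for n, t in mtimes.items() if abs(t - median) > tolerance_days * 86400)

def audit_hardening(wp_config: str, uploads_htaccess: str) -> dict[str, bool]:
    """Check the two hardening steps the talk ends with: DISALLOW_FILE_EDIT in
    wp-config.php and an uploads/.htaccess that keeps PHP from executing."""
    edit_off = re.search(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                         wp_config, re.I) is not None
    lowered = uploads_htaccess.lower()
    php_blocked = "php_flag engine off" in lowered or (
        re.search(r"<filesmatch\b[^>]*php", lowered) is not None
        and ("deny from all" in lowered or "require all denied" in lowered))
    return {"disallow_file_edit": edit_off, "uploads_php_blocked": php_blocked}

# ---- constructed samples (not real site data) -------------------------------
SAMPLE_FOOTER = "<?php eval(base64_decode($_POST['z0'])); ?>\n<?php wp_footer(); ?>\n"
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone|windows\\ phone) [NC]
RewriteRule ^.*$ http://redirect-target.invalid/go.php [R=302,L]
# the stock WordPress block below is untouched and must not be flagged
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""
SAMPLE_POST = ('<p>Hello world</p><div style="display:none"><a href="http://pills.invalid/a">x</a>'
               '<a href="http://pills.invalid/b">y</a></div>')
SAMPLE_MTIMES = {"index.php": 1.6e9, "functions.php": 1.6e9 + 100, "style.css": 1.6e9 + 3600,
                 "footer.php": 1.6e9 + 7200, "header.php": 1.6e9 + 90 * 86400}
SAMPLE_WP_CONFIG = "define('DISALLOW_FILE_EDIT', true);\n"
SAMPLE_UPLOADS_HTACCESS = '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n'

if __name__ == "__main__":
    print("backdoor patterns in footer.php:", find_backdoor_patterns(SAMPLE_FOOTER))
    print("UA-conditioned redirects:", htaccess_ua_redirects(SAMPLE_HTACCESS, "example.com"))
    print("hidden spam hosts:", hidden_spam_links(SAMPLE_POST))
    print("theme mtime outliers:", modification_outliers(SAMPLE_MTIMES))
    print("hardening:", audit_hardening(SAMPLE_WP_CONFIG, SAMPLE_UPLOADS_HTACCESS))
```

The functions take file contents as strings so they can be pointed at a backup or at files downloaded over FTP rather than run on the live server, and each one reports only what to look at: a pattern hit, a redirect host, a hidden link, or an odd modification date is a lead for a human to confirm against a fresh copy of WordPress or the theme, not a verdict. The `.htaccess` check deliberately ignores the stock WordPress rewrite block so a clean file produces no findings.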